How often do you speak out loud in a public place? None of that is encrypted. Someone might overhear you.
When in a public place, you can see who's there. How often do you speak out your VISA card number, expiry date and three-digit security code in public? Okay, that is encrypted. How often do you speak out your Gmail password in public? Or the ssh password to your computer? How often do you leave your wallet and car keys lying around in public?
Maybe we need to come up with a standard way of encrypting things, that our packet sniffers somehow know how to decode. Maybe even with a "relax the crypto" configuration flag we can throw during debug.
And then only let the government and government-approved network administrators have packet sniffers, to avoid the black hats having them? Except that the Nigerian government could hand them out to any Nigerian if it felt like it, so we need trade embargoes, and...
Exactly what's the point of encrypting something if information will still leak out of the encrypted packets?
Or---when in debugging mode you could send some insensitive unencrypted traffic. That way, people can have their encryption and network debuggers can have their not-encryption.
there's no point encrypting things that are not usernames/passwords/sensitive information.
Except in the most rare cases, there's no point in encrypting user names (unless you want to argue by semantic shift).
However, whenever you do anything that requires you to be logged in (i.e. post a comment), you should have to prove that you're the rightful owner of the username you post under.
In other words, in every transaction you send some kind of secret to slashdot that proves you're you.
I want that to be guarded with HTTPS. I don't want anyone else to prove they're me. That means everything I do while I'm logged in has to be HTTPS-guarded.
The sooner web code monkeys get this, the better.
I'd trade 500 bloggers for 5 Times columnists any day of the week.
If you keep your 5 Times columnists, can I have 500 insightful /. commentators?
I've learned more about politics, history, law and economics and a few other topics from reading slashdot than from three years of high school* history classes and all the newspaper reading I've ever done.
(* where high school refers to the Danish three-year secondary education (stx))
And although I love being among my fellow {technology, gaming, role playing, science fiction, etc.} geeks, for the sole benefit of them being educative you can keep your Times columnists to yourself if I can have 500 insightful /. commentators.
[I love you guys :)]
The NYT could make it easier to pay for the articles (Text a code to a number, and 25 cents is added to your phone bill)
I don't have international texting as part of my cell phone plan, you insensitive clod!
So again, for so many people who own DivX devices
Isn't that the real problem: that we buy devices that easily could be reprogrammable, but aren't?
Yes, watching software-decoded video on your phone is going to be a bitch, especially on the battery life. But bitchy is better than impossible.
Yeah, it sucks having to spend your afternoon upgrading your Wii homebrew Linux installation to the newest version and fixing the things that don't work. But it's better to do that and have a working media center than not, right?
Then again, most people don't want the same as me. Why don't people want smart computers with stupid screens, speakers and NICs, instead of the other way around?
Insightful
Well okay, but aside from free voicemail and call forwarding, a free tiling map engine with some of the best map data there is, and the best web search engine, what has Google ever done for us?
The aqueduct?
Uncool is contagious. Cool isn't.
So that's why nobody really cared about sitting at the cool kids' lunch table, right?
Or from 10 Things I Hate About You: "[I do this for you // what do you want from me in return // say hi to me in the hallway // ah, cool by association. Get it]"
Or from "Why Nerds are Unpopular" (http://www.paulgraham.com/nerds.html): "Few smart kids can spare the attention that popularity requires. Unless they also happen to be good-looking, natural athletes, or siblings of popular kids, they'll tend to become nerds."
The world seems to disagree with you.
The typo is easier to spot in fixed font.
Actually, it's just as easy to spot in a proportional font, because what you're comparing isn't a character count but equal prefixes. If they're strcmp-equal, wouldn't they also be pixelwidth-equal, independent of the (constantness of the) char-to-pixelwidth mapping, as long as it doesn't vary per line?
Of course, you're right in your point that it lets you compare character count visually much faster. That seems to be relevant somewhat less often, though.
A single number to identify people would be just as powerful as a SSN or driver's license number. It would make fraud so much easier.
While you are right in practice, it doesn't need to be so in theory.
On /. you are "CopaceticOpus". That is, in the slashdot universe you have a single number which identifies you. Does that make you more vulnerable to /. fraud?
No, you have a password which you use to prove that you are the person identified by the name CopaceticOpus.
The problem with SSNs is that they don't have a password.
Using a single identifier isn't a danger in itself; it just magnifies the underlying problem of not having a secure way to establish which people the identifiers identify (and which they don't).
So when the torrent goes up, Black Hats up identically named torrents that have ascii dumps of /dev/random.
Make the URI a sha1 hash of the contents. That way it can't be faked unless people break sha1.
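One way to realise the hash-as-URI idea from the reply above, as an added example that is not from this thread or any Slashdot poster: a hypothetical hash:// URI scheme, a verifier, and a fetch loop that discards poisoned or truncated copies offered by peers. The scheme, peer names and page bytes are constructed for this example, and it uses SHA-256 rather than SHA-1 because SHA-1 collisions have since been demonstrated.

```python
"""Content-addressed URIs for swarm-fetched web pages.

Added example, not from the original discussion. The URI scheme
"hash://<algorithm>/<hex digest>" is a hypothetical one invented here; the
peer names and page bytes below are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Algorithms a verifying client is willing to trust for content addressing.
# SHA-1 is deliberately absent: chosen-prefix collisions have been
# demonstrated, so two different payloads could share one SHA-1 URI.
ALLOWED_ALGORITHMS = frozenset({"sha256", "sha512"})


def content_uri(data: bytes, algorithm: str = "sha256") -> str:
    """Derive the URI that names exactly these bytes."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown hash: {algorithm}")
    return f"hash://{algorithm}/{hashlib.new(algorithm, data).hexdigest()}"


def parse_content_uri(uri: str) -> tuple[str, str]:
    """Split a hash:// URI into (algorithm, hex digest), validating both."""
    if not uri.startswith("hash://"):
        raise ValueError("not a hash:// URI")
    algorithm, _, digest = uri[len("hash://"):].partition("/")
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown hash: {algorithm}")
    if len(digest) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("digest length does not match algorithm")
    bytes.fromhex(digest)  # raises ValueError if the digest is not hex
    return algorithm, digest


def verify(uri: str, data: bytes) -> bool:
    """True only if data hashes to the digest embedded in the URI."""
    algorithm, digest = parse_content_uri(uri)
    actual = hashlib.new(algorithm, data).hexdigest()
    # compare_digest keeps the comparison time independent of where a mismatch is.
    return hmac.compare_digest(actual, digest)


def fetch_verified(uri: str, peer_copies: dict[str, bytes]) -> tuple[bytes, list[str]]:
    """Return the first copy that verifies, plus the peers whose copies did not.

    peer_copies maps a peer identifier to the bytes it offered for the URI,
    standing in for what a DHT lookup followed by a download would produce.
    """
    rejected = []
    for peer, data in peer_copies.items():
        if verify(uri, data):
            return data, rejected
        rejected.append(peer)
    raise LookupError(f"no peer served content matching {uri}")


# Constructed sample: the genuine page and two bad copies from a swarm.
GENUINE = b"<html><body>The genuine page.</body></html>"
PAGE_URI = content_uri(GENUINE)
PEER_COPIES = {
    "peer-a": secrets.token_bytes(len(GENUINE)),  # poisoned: random bytes, same size
    "peer-b": GENUINE[:-5],                        # truncated download
    "peer-c": GENUINE,                             # honest peer
}


if __name__ == "__main__":
    page, bad_peers = fetch_verified(PAGE_URI, PEER_COPIES)
    print(PAGE_URI)
    print("accepted:", page.decode())
    print("rejected peers:", bad_peers)
```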
I am "faced with the knowledge of my own terminal illness"
I take it you've been diagnosed with the dreaded Alive, Well and Happy Syndrome, caused by a complex combination of healthy diet, regular exercise, a low to moderate alcohol consumption, a lack of tobacco or nicotine intake, frequent sexual intercourse and a supportive social network.
Fortunately, it's in decline among US youth; see the article published in pubdot at http://science.slashdot.org/article.pl?sid=10/01/12/1337235
If you consider the same set of data, encrypted winds up being larger than unencrypted, so, technically
I'd call the journey longer rather than being undertaken at a slower velocity, since at constant velocity the encrypted journey takes longer than the unencrypted one.
Oh well, I think "quick" is ambiguous: according to my dict, it can mean either "high value of 1/$s" (hasty) or "low value of $seconds" (soon). Algebraically they should be the same, but the units map to measurements of different phenomena, so they really mean different things.
And now that I think about it, "unencrypted data" and "encrypted data" is somewhat ambiguous: if we assume there's an "all else equals" implied at the end of the sentence, we really run into a contradiction: if both the input string before the encryption (including the non-encrypting identity cipher) and the output string is kept identical, it's really broken. If it's just the length, which is reasonable since that's all which should affect travel speed, it's still bad encryption, just more subtly so and not quite as bad. So exactly which two scenarios are being referred to, here?
So, wait, when I visit a page that has https:// in front of it my internet connection suddenly slows down?!
No, your access time goes up. You get fewer web pages per second, not fewer bits per second. Your internet connection speed is measured in n bits per second. This measure does not change.
How would encrypted data travel any different than unencrypted data?
You would have more roundtrips during the key exchange phase of SSL. It's not that the data travels slower, it's that there is more of it, and you have to wait for more ping-pong iterations.
but it seems much more likely that this was about them conserving CPU, not about you getting your email faster.
I think Google is acting fairly decently: they're saying "Look, we have a new service. Here's why you might want to not use it: [...]". It's truth in advertisement. Even their selfish motive is quite benign, wouldn't you say?
By "not as quickly" they were probably referring to end-users' perspective more than network transmission time.
Actually, encryption means that you not only have to send more data, but you also have to do more roundtrips during the initial key exchange protocol.
I would guess (meaning it's a hypothesis, not a Proven True Fact(tm)) that the decryption overhead is negligible: modern desktops and laptops are extremely powerful considering the tasks they're put to, and they don't have that much data to decrypt.
The encryption overhead might be non-trivial, depending on how many requests you serve each second---your CPU may suddenly become a bottleneck, where disk (and RAM caching) was the previous bottleneck.
I think the increased duration of a transaction is best explained by extra network roundtrips, not extra computational effort. Or, if you like, it's the highest-impact factor.
since encrypted data doesn't travel across the web as quickly as unencrypted data.
It's probably because of all the extra 1's. They're heavier.
No, seriously, this statement is bovine excrement.
What is true is that encrypted transactions (from SYN to FIN) are slower than unencrypted ones because they transmit more data in more packets using more roundtrips.
Of course, that's not what you tell the (crypto-illiterate) public. But wouldn't "accessing web pages with HTTPS is typically slower than with HTTP" convey exactly the same information to the public, except for the wrong part?
True. But the point wasn't really "what if", the point was that the goal should not be jobs, the goal should be wealth and livelihoods---that is, means whereby people can obtain a certain amount of wealth, enough to live decently by social standards.
While it is true that jobs tend to create wealth (by the job done) and livelihoods (by paying wages), maybe the number of jobs isn't the most important but the wealth generated by them.
A more realistic alternative to more jobs, if we would all suddenly become more effective at producing wealth, is more stay-at-home parents: people not taking jobs because the material needs of the family are met with only one person working.
(For the pedantic: I'm not advocating this kind of society, I'm just suggesting as a plausible situation where fewer jobs and more wealth can coexist.)
I'd say just make sure it costs enough that you benefit from it rather than being hurt by it.
Yeah okay, that works too. Depends on what your purpose is, and what "The Right Purpose" is depends on your vantage point, context and probably other variables.
Also the Marxian view that only the means of production matters is a bit out of date.
I'm not arguing that view. Leave distribution and marketing to the robots; they're (by unrealistic assumption) programmed to also do that part.
The Marxian view that the only source of wealth is labor
I think I'm especially not arguing that point. At least I'm not arguing that the only source of wealth is human labour---again, leave that to the robot.
On the other hand: the robots originate from human labour. And if nobody ever works, we have no services, and nobody transforms raw natural resources into products, so we have no increase in wealth over what the natural resources are worth in their unprocessed form.
Then again, exactly what is labour? If a behaviour creates or increases value, and we see that and then label it "labour", isn't that some kind of fallacious reasoning?
100,000 - 150,000 new jobs to be created each month just to stay even.
No, what you need is more wealth.
That is, you will need the resources those people will consume over their lifetime: food, textiles, space, vehicles, energy, and so forth. Plus, those people need to have it.
Of course, a sensible thing to ask of those people is to do something in return for being given those resources, e.g. get a job. But that's not a necessity.
Imagine you had robots who could do all the work we need humans for now, and because they were well built, we only rarely needed to repair, dispose and replace them. And the robot nerds volunteer to do this work on behalf of all of society.
Then there's no need for more jobs just because you have more people. Maybe one job per n people, but n >> 1.
Point being: there's no inherent value in jobs, because your job can be doing something that doesn't have any inherent value. The classical example being "9-1: dig ditch; 1-5: fill it again". What has value is the resources people want.
Is there a BT technique that can be applied to web pages?
Sure, can it be that hard?
Give a URI of some resource. Have your web/torrent browser look for peers/seeds who have copies of that resource in some DHT. Ask those who have it to send it to them.
There's absolutely nothing stopping anybody from using BT as the application-layer transport protocol for HTML and other web content.
I'm no expert on P2P networks; maybe other kinds of protocols are better suited.
I think the hard part is making Microsoft implement this in IE, so that everybody will be able to justify switching to this.
There's a story in Freakonomics about a daycare center that had problems with people not picking their kids up on time.
If you offer care from 9 to 5, at 5 o'clock, take the kids that haven't been picked up, walk them out to the curb, tell them to stand there until their parents pick them up, lock up the place and go home.
No kid would want that to happen again, so they'd beg their parents to be there on time. And no parent would want this to happen again either.
Maybe it's reckless endangerment of children. Maybe it's just a plain old dick move. But I think it'd work.
The general point: if you make someone else's behaviour cost them something (financially or emotionally) in order to discourage that behaviour, make sure it costs enough (i.e. too much). Ramp up the fines every time, say by a factor 2. Starting at a measly fiver, it can get expensive really fast.
You expressed my thoughts much more eloquently than I ever could. Thank you very much---it was important for me to see you express my ideas the way I meant them.
Also, good luck getting that radio in your head tuned into where it needs to be.